With jCryption 2.0 you can communicate with the server over an encrypted channel; you are no longer limited to encrypting forms.
This example is a little more complicated than the others,
but if you want to use jCryption for bidirectional communication just look at the source code … you will understand it with ease.
Just a short explanation of what is going on …

1) Client chooses a password … (the example uses a weak one; in production use a strong random value, e.g. derived from mouse-movement coordinates or, where available, from the browser's crypto.getRandomValues())
2) Client requests the RSA public key from the server
3) Client encrypts the password with the RSA public key
4) Server decrypts the password and stores it in the session
5) Server encrypts the password with AES (keyed by that same password) and sends it back to the client
6) Client decrypts it with AES using the password, and so verifies that the server recovered the same password
7) Both now hold the same "secret" key, which is used for all further communication

Note that step 2 is not authenticated: the client has no way to check that the public key it received really belongs to the server, so this exchange only defeats a passive eavesdropper. An active attacker who can hand the client a public key of his own (the man-in-the-middle case discussed in the comments below) learns the password and with it every later message; binding a public key to a server name is what SSL/TLS is for.

Frederik Lassen added an excellent example of how to use the "new" HTML5 Session Storage, so the script is not required to request the key from the server every time; instead the "key" is stored in the session.

I do trust all of the ideas you've offered in your post. They are very convincing and can certainly work. Still, the posts are very quick for beginners. Could you please prolong them a little next time? Thank you for the post.

I have used jCryption 2.0 to encrypt the username and password for an ExtJS 4.0.7 form. I developed the application on Windows 32-bit. Here it works fine. But when I installed the setup on Windows 64-bit it gives a problem. When I debugged the following code,

Great work! But a "man in the middle" attack can still break the encryption. A proxy script on some intermediate server can bypass the security. In this case you can't even detect if the certificate is signed with the wrong certificate. SSL gives a "green label" in the browser bar (also containing the domain name from the certificate).
Am I right? Are there any ways to check the AES key or to detect a harmful proxy?

What vantage point would one need in order to carry out an MITM attack? In other words, would you just need to be in range of an unencrypted WLAN over which the connection is taking place? Would you actually need to have access to the LAN router? Would you need to be an ISP or internet backbone? What level of privileged access is required by an attacker, if any?

No one here seems to get that. Public-private key encryption is how you handshake, you then use AES because its faster.

To put it this way, if I encrypt something with a PUBLIC encryption key, you CANNOT decrypt that same information with the PUBLIC key.

You require the PRIVATE key, which is never ever shared.

That means that no password or encryption key is ever sent in an unencrypted format, or risky format.

So how does this work?

Client asks server for PUBLIC key (which is useless to hackers).
Server gives client PUBLIC key.
Client encrypts password with PUBLIC key. Password CANNOT be decrypted using that same key.
The server uses the PRIVATE key it has, to decrypt the client’s password.

The client and the server then both use the client’s password as the encryption key for AES encryption.

Basically, they use public-private key encryption to communicate an AES encryption key. This makes the whole process 100% secure.

5) All future CLIENT -> MITM -> SERVER -> MITM -> CLIENT IO is encrypted with AES, where the MITM has keys to communicate freely with both. The MITM is required to function correctly, as it behaves as a "gateway" of sorts between CLIENT and SERVER. If it breaks, the whole communication chain fails. But while it is running, it has full access to the plaintext data on the channel.

I would very much like to implement some solution that eliminates the need for a dedicated IP address for every SSL-protected domain, but I believe this solution is too weak to be taken seriously with the blatant MITM hole. I don't even care about SSL certificate prices… the problem is IP addresses. IPv6 is not ubiquitous enough to leverage the plentiful IPs. SNI-based virtual hosting offers a straightforward and promising future; however, it too does not yet enjoy ubiquitous support in browsers.

In bidirectional communication, when we send a request using $.jCryption.authenticate(), initially it works fine, but after some time it executes the authentication-failed function. Why does this happen? Can anyone tell?

As I wasn’t able to find a Java implementation available on the web, I implemented my own version (which I called JavaCryption). It is available here: http://jcryptionforjava.wordpress.com/, including a fully working example. I hope it can be useful. Thanks.

Hi, the full source code is available on SourceForge. Indeed, I tried to use Latin chars (ISO-8859-1) in the beginning, but jCryption only works with UTF-8, so I had to change the encoding. Maybe you could modify the plug-in lines 1045 and 1121 (that's where the encoding is applied). One question: does UTF-8 not support Cyrillic chars?

Thanks for the tip. It might be worth noting that there must be no space between the passcode and the pipe. The code here is correct, but I typed it as echo passcode | gpg. The command interpreter must have included the space in my passcode and the decrypt failed. After figuring that out, this works great. Thanks again.

Great plugin, thanks for the work on this. I've got it set up in a jQuery Mobile/Backbone/RequireJS/AMD app and split the plugin file into 2 files: the plugin, and all the support libraries. At some point I'll likely refactor the latter as it introduces many globals… will send a push request if/when I get that done.

Hi! There's a problem using $.getJSON in IE: it caches the Ajax queries (http://www.factory-h.com/blog/?p=67). If the parameters of the call to generateKeypair don't change, IE assumes the response will be the same, and jCryption won't work.

I am wondering if this could be used for the following purpose. I have had an auto-complete tool made which caches data from tables on my server on the client side in order to achieve speed/performance. However, it also exposes my tables in their entirety, which I don't want to do. Could this be used to store the data encrypted on the client machine, with the AC decrypting it when populating? This way the user does not have my table in a readable format.

It depends on the structure of your table objects. Once the password is established in the session, it's a simple matter to encrypt/decrypt, but it works on strings, not objects. You could set up a getter for your table object that calls $.jCryption.decrypt(encryptedValue, sessionStorage.password). It's fast; I think it would work well.